Safety Analysis based on IEC 61508: Lessons Learned and the Way Forward
Jens Braband, SAFECOMP 2006
Overview
Introduction (IEC 61508 and Railway Applications)
Definition of Operation Modes
SIL Allocation and SIL Table
SIL Capability and Safety Criticality
Properties and Rigor
Documentation Issues
Introduction
IEC 61508 is a basic safety publication for programmable electronic systems (PES).
It serves either as a basis for the creation of sector-specific standards or is applied as it stands.
It therefore needs to be generic.
In order to highlight certain problems, we have applied it as it stands to some simple railway examples (although sector-specific standards do exist).
Where appropriate, we have also taken account of current proposals
PES: Railway Sector Application Examples
Interlocking
Automatic train protection system
System according to IEC 61508
In general, a system consists of:
equipment under control (EUC): equipment used for manufacturing, process, transportation, ...
an EUC control system
Definition of Operation Modes
The way in which a safety-related system is intended to be used, with respect to the frequency of demands made upon it.
Two modes exist:
– low-demand mode: in which the frequency of demands for operation made on a safety-related system does not exceed once per year or twice the proof-test frequency.
– high-demand or continuous mode: in which the frequency of demands for operation made on a safety-related system exceeds once per year or twice the proof-test frequency.
Note: In the new CD for IEC 61508 the reference to the proof-test frequency has been deleted.
ATP Example
Automatic train protection (ATP) system stops the train if the driver passes a signal at danger (SPAD).
System safety depends on both the reliability of the driver and the ATP system.
Application example: Eurobalise (ETCS Level 1)
Example: Hazard rate of 2×10^-6 per train per hour
[Figure: safety-related PES of the Eurobalise example: 1 Lineside electronic unit (LEU), 2 Transparent-data balise, 3 Fixed balise, 4 Vehicle antenna, 5 Interrogator, On-board unit with peripheral equipment]
Problems with Modes of Operation
Problems for railway applications:
Proof-test intervals as in the process industry are often not available, although diagnostic self-checks may be performed every few minutes.
The demand rate often depends on the reliability of the human operator (with him acting as a control system) and the operation profile, so it may be argued that the ATP system is both a low-demand system and a continuous mode system.
The distinguishing frequency (once a year) is not reasoned and
The Great Question: How Safe is Safe Enough?
Besides general requirements, IEC 61508 provides some 30 pages of informative risk analysis examples, including:
a typical MIL-STD risk matrix (mixed with ALARP)
a very simple probabilistic approach
a general risk graph and
a kind of three-dimensional risk matrix
This guidance is, however, of little use, as
the examples cannot be directly applied in any sector.
it fails to explain how to adapt and calibrate any of the methods.
ALARP: as low as reasonably practicable
MIL-STD: US military standard
Safety Integrity Level Definition
Unavailability of safety function? (IEC 61703)
Instantaneous hazard rate? (IEC 61703)
IEC 61508 – Definition:
SIL Allocation Issues
Step 1: definition of overall safety target and selection of appropriate quantitative and qualitative figures
Step 2: apportionment to ATP, taking into account other risk reduction factors
λ_H = λ_S × λ × T/2 (hazard rate = demand rate × PFD of the ATP, with PFD = λ × T/2)
[Figure: event chain "Hazard & ATP fails ... SPAD": Demand (SPAD, mean time between demands 1/λ_S) and ATP failure (mean time to failure 1/λ, PFD) lead to Hazard (mean time 1/λ_H, PdFH)]
ATP: automatic train protection
PdFH: probability of dangerous failures per hour
PES: programmable electronic system
PFD: probability of failure on demand
SPAD: signal passed at danger
T: proof-test interval
SIL Definition Problems (1)
Ambiguous definition of PdFH in IEC 61508 – same concept as instantaneous failure rate or hazard rate?
Why is the concise terminology of IEC 61703 not used?
SIL is defined for complete safety functions only, but in practice used mainly for hardware or software components.
Strong dependence of the PFD on proof-test intervals
This leads to contradictions, e.g.
requirement based on PdFH specifies design of ATP according to SIL 1,
requirement based on PFD depends on proof-test interval and
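Added worked example (not from the slides): one and the same ATP design classified by both IEC 61508 target-failure measures, to make the contradiction above concrete. It also carries through the low-demand shortcut λ_H = λ_S × λ × T/2 from the SIL allocation slide. The band limits are the IEC 61508-1 (2000) Table 2 and Table 3 values; the ATP failure rate, the demand rate and the proof-test intervals are constructed for illustration.

```python
"""Classify an ATP design by PdFH (continuous mode) and by PFD (low-demand mode).

Band limits: IEC 61508-1 (2000) Tables 2 and 3, lower bound inclusive, upper
bound exclusive. Numerical rates below are constructed, not from the slides.
"""
HOURS_PER_YEAR = 8760.0

# Low-demand mode: average probability of failure on demand (PFD_avg) per SIL.
PFD_BANDS = {1: (1e-2, 1e-1), 2: (1e-3, 1e-2), 3: (1e-4, 1e-3), 4: (1e-5, 1e-4)}
# High-demand / continuous mode: probability of a dangerous failure per hour (PdFH).
PDFH_BANDS = {1: (1e-6, 1e-5), 2: (1e-7, 1e-6), 3: (1e-8, 1e-7), 4: (1e-9, 1e-8)}


def sil_from_band(value, bands):
    """SIL whose band contains value; 0 if worse than SIL 1, None if better
    than SIL 4 (IEC 61508 defines no band there)."""
    for sil, (lo, hi) in bands.items():
        if lo <= value < hi:
            return sil
    return 0 if value >= bands[1][1] else None


def pfd_avg(lam, proof_test_hours):
    """Low-demand approximation from the allocation slide: PFD = lambda * T / 2
    (an undetected failure persists on average for half the proof-test interval)."""
    return lam * proof_test_hours / 2.0


def hazard_rate_low_demand(lam_s, lam, proof_test_hours):
    """lambda_H = lambda_S * PFD = lambda_S * lambda * T / 2, per hour."""
    return lam_s * pfd_avg(lam, proof_test_hours)


def classify_atp(lam, proof_test_hours):
    """SIL of one ATP design under both measures.

    lam: dangerous failure rate of the ATP per hour, which is also its PdFH
    when it is treated as a continuous-mode system.
    """
    pfd = pfd_avg(lam, proof_test_hours)
    return {
        "pdfh_sil": sil_from_band(lam, PDFH_BANDS),
        "pfd": pfd,
        "pfd_sil": sil_from_band(pfd, PFD_BANDS),
    }


if __name__ == "__main__":
    lam = 2e-6  # constructed ATP failure rate: 2x10^-6 per hour
    for label, T in (("1 month", HOURS_PER_YEAR / 12),
                     ("1 year", HOURS_PER_YEAR),
                     ("10 years", 10 * HOURS_PER_YEAR)):
        c = classify_atp(lam, T)
        print(f"T = {label:>8}: PdFH -> SIL {c['pdfh_sil']}, "
              f"PFD = {c['pfd']:.2e} -> SIL {c['pfd_sil']}")
```

With a yearly proof test the design sits in the SIL 2 PFD band while its PdFH puts it in SIL 1; shorten the interval to a month and the PFD band says SIL 3, stretch it to ten years and it says SIL 1. The hardware has not changed, only T, which is exactly the dependence the slide objects to.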
SIL Definition Problems (2)
According to IEC 61508, the SIL 1 requirement applies to the entire ATP system, i.e. sensors, communication, PES and actuators.
However, the PdFH or hazard rate for the PES may be much smaller, say 2×10^-7 per train per hour (depending on the apportionment, e.g. by FTA).
Question: Is SIL 1 still sufficient for the sensors, communication, PES
The Way Forward: Integrated SIL Allocation
Independently proposed and justified by Sato
No definition of modes of operation necessary
Unified SIL determination using new metric: mean time to hazard (MTTH)
[Figure: Markov model with states 00, 10, 01 and 11 and transition rates λ, λ_S, μ and 2/T; the hazard rate out of the model is 1/MTTH]
Model Evaluation
Index denotes the initial state
Model can be explicitly solved
Result is an explicit solution for MTTH
[Equations: explicit expressions for MTTH with initial states 00, 10 and 01 in terms of λ, λ_S, μ and T; the formula layout did not survive extraction]
Proposal for a Harmonised SIL Table
Relates to real-life performance
Unambiguous SIL determination
Integrates all relevant parameters into SIL determination
MTTH and corresponding SIL:
> 10 years: SIL 1
> 100 years: SIL 2
> 1,000 years: SIL 3
> 10,000 years: SIL 4
Problems: SIL Capability and Safety Criticality (1)
SIL capability: measure of the confidence that an element safety function will not fail due to relevant systematic failure mechanisms when the element is used in accordance with the instructions given in its element safety manual
Safety criticality: extent to which a deviation from the specified functionality of an element has the potential to create a hazardous situation
Categories:
C3: single failure is hazardous
C2: second (independent) failure is hazardous
C1: interference free
Based on the safety criticality category, safety functions may be
Problems: SIL Capability and Safety Criticality (2)
IEC proposal:
A SIL X element safety function may be implemented by two (independent) SIL X-1 elements, provided both elements have SIL criticality C2.
ATP example:
The PES may be implemented by two independent SIL 0 elements, i.e. two (different) PCs with either two separate SIL 0 voters or one common SIL 1 voter.
So far, no easy concept for SIL combinations has been validated, and each individual case must be closely scrutinized (e.g. FMEA/FTA, with a very careful consideration of common-cause failures).
Also, the terminology is misleading (criticality has a different meaning
New Concepts: Properties and Rigor
IEC 61508-3 has extensive tables for the selection of fault avoidance measures for particular SILs.
However, many alternatives are possible:
“Appropriate techniques/measures shall be selected according to the safety integrity level” is a standard note for each table and no rules are imposed on the possible combinations.
In maintenance, levels of rigor were introduced to assess the achievement of a property:
R1: No, or limited, objective acceptance criteria
R2: Objective acceptance criteria
Properties and Rigor: Example
“However, many factors affect systematic and software safety integrity, and it is not possible to give an algorithm for selecting and combining the techniques in a way that is guaranteed in any given application to achieve the desirable properties. …”
Properties and Rigor: SIL Guidance
While the rigor of a great variety of techniques is evaluated in more than 10 tables with respect to many properties, no combination or acceptance rules are given for determining what level of rigor (or combined levels) is (are) appropriate for which SIL.
Last, but not Least: Documentation (1)
The requirements for documentation are fairly general.
For example:
The documentation shall contain sufficient information …
In particular, a more detailed structure for safety documentation would facilitate the cross-acceptance of products in different application sectors.
The safety case concept, which has improved cross-acceptance in the
Last, but not Least: Documentation (2)
A standard structure for safety documentation should be introduced.
The approach can be supported with structured notations for safety arguments.
The Goal Structure Notation (GSN) should be recommended.
[Figure: structure of a Technical Safety Report: 1 Introduction, 2 Assurance of Correct Functional Operation, 3 Effects of Faults, 4 Operation with external influences, 5 Safety-related application conditions, 6 Safety Qualification Tests]
The Way Forward: Conclusions
Use mathematically concise, standard terminology which is consistent (at least) with other IEC standards.
Abandon the distinction between different operation modes.
Delete sections on risk analysis or give clear guidance for calibration of methods.
Make sure that SIL determination is unambiguous, e.g. by a single target metric such as MTTH.
Use only validated concepts and explain them fully.
References
Braband, J.: Risikoanalysen in der Eisenbahn-Automatisierung, Eurailpress, 2005 (Risk analyses in railway automation)
Braband, J.: Ein Ansatz zur Vereinheitlichung der Betriebsarten und Sicherheitsziele nach IEC 61508, Proc. EKA 2006 (An approach to the standardisation of operating modes and safety targets in accordance with IEC 61508)
IEC 61508: Functional safety of electrical/electronic/programmable electronic safety-related systems, 2000
IEC 61703: Mathematical expressions for reliability, availability, maintainability and maintenance support terms, 1999
Yoshimura, I., Sato, Y., Suyanma, K.: Safety Integrity Level Model for Safety-related Systems in Dynamic Demand State, Proceedings of the 2004 Asian International Workshop on Advanced Reliability Modeling (AIWARM 2004), Hiroshima, 577–584